summaryrefslogtreecommitdiff
path: root/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch
diff options
context:
space:
mode:
Diffstat (limited to 'source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch')
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch95
1 files changed, 95 insertions, 0 deletions
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch
new file mode 100644
index 00000000..8ae4abfd
--- /dev/null
+++ b/source/a/pam/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch
@@ -0,0 +1,95 @@
+From 05aa693b7db6b818d31e41f0cab1d5fb4f49600e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
+Date: Thu, 15 Nov 2018 15:58:56 +0100
+Subject: [PATCH] pam_unix: Prefer a gensalt function, that supports auto
+ entropy.
+
+* modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0.
+* modules/pam_unix/passverify.c: Prefer gensalt with auto entropy.
+* modules/pam_unix/support.c: Fix sanitizing of rounds parameter.
+---
+ modules/pam_unix/pam_unix_passwd.c | 2 +-
+ modules/pam_unix/passverify.c | 13 +++++++++++++
+ modules/pam_unix/support.c | 7 +++++--
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+Index: Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
+===================================================================
+--- Linux-PAM-1.3.1.orig/modules/pam_unix/pam_unix_passwd.c
++++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
+@@ -607,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
+ unsigned int ctrl, lctrl;
+ int retval;
+ int remember = -1;
+- int rounds = -1;
++ int rounds = 0;
+ int pass_min_len = 0;
+
+ /* <DO NOT free() THESE> */
+Index: Linux-PAM-1.3.1/modules/pam_unix/passverify.c
+===================================================================
+--- Linux-PAM-1.3.1.orig/modules/pam_unix/passverify.c
++++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c
+@@ -375,7 +375,12 @@ PAMH_ARG_DECL(char * create_password_has
+ const char *password, unsigned int ctrl, int rounds)
+ {
+ const char *algoid;
++#if defined(CRYPT_GENSALT_OUTPUT_SIZE) && CRYPT_GENSALT_OUTPUT_SIZE > 64
++ /* Strings returned by crypt_gensalt_rn will be no longer than this. */
++ char salt[CRYPT_GENSALT_OUTPUT_SIZE];
++#else
+ char salt[64]; /* contains rounds number + max 16 bytes of salt + algo id */
++#endif
+ char *sp;
+ #ifdef HAVE_CRYPT_R
+ struct crypt_data *cdata = NULL;
+@@ -406,6 +411,13 @@ PAMH_ARG_DECL(char * create_password_has
+ return crypted;
+ }
+
++#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
++ /*
++ * Any version of libcrypt supporting auto entropy is
++ * guaranteed to have crypt_gensalt_rn().
++ */
++ sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt));
++#else
+ #ifdef HAVE_CRYPT_GENSALT_R
+ if (on(UNIX_BLOWFISH_PASS, ctrl)) {
+ char entropy[17];
+@@ -423,6 +435,7 @@ PAMH_ARG_DECL(char * create_password_has
+ #ifdef HAVE_CRYPT_GENSALT_R
+ }
+ #endif
++#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */
+ #ifdef HAVE_CRYPT_R
+ sp = NULL;
+ cdata = malloc(sizeof(*cdata));
+Index: Linux-PAM-1.3.1/modules/pam_unix/support.c
+===================================================================
+--- Linux-PAM-1.3.1.orig/modules/pam_unix/support.c
++++ Linux-PAM-1.3.1/modules/pam_unix/support.c
+@@ -175,6 +175,7 @@ int _set_ctrl(pam_handle_t *pamh, int fl
+
+ if (val) {
+ *rounds = strtol(val, NULL, 10);
++ set(UNIX_ALGO_ROUNDS, ctrl);
+ free (val);
+ }
+ }
+@@ -254,11 +255,13 @@ int _set_ctrl(pam_handle_t *pamh, int fl
+ if (*rounds < 4 || *rounds > 31)
+ *rounds = 5;
+ } else if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
+- if ((*rounds < 1000) || (*rounds == INT_MAX))
++ if ((*rounds < 1000) || (*rounds == INT_MAX)) {
+ /* don't care about bogus values */
++ *rounds = 0;
+ unset(UNIX_ALGO_ROUNDS, ctrl);
+- if (*rounds >= 10000000)
++ } else if (*rounds >= 10000000) {
+ *rounds = 9999999;
++ }
+ }
+ }
+